Thursday, January 27. 2011

I discovered loads of entries in mail.log logging dictionary attacks on port 110. Going back in time, the logs showed more than just one dictionary being used, and it had been going on for some time. It litters the logs, and you don't want to risk that one of them finally gets lucky with a user password, so I searched for a way to stop the attacks. I already used denyhosts against brute force attacks on ssh, which works fine but is limited to ssh. Instead I found out about fail2ban.

It does what I need now but it took some smoothing of edges till I got there.

Now edit both /usr/bin/fail2ban-server and /usr/bin/fail2ban-client so that their first line points to python2.4 (and not to python):

#!/usr/bin/python2.4

Now fail2ban ran but still wouldn't stop the attacks. I followed the howto at http://www.howtoforge.com/fail2ban_debian_etch and, while I have found plenty of good advice on that site before and since, this one didn't just work. In addition to the config described there, a file filter.d/pop3d.conf was needed (which is easily supplied by cp courierlogin.conf pop3d.conf).
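To show what the pop3d filter and jail actually do once they are wired up correctly, here is an added example (not code from the post or from fail2ban itself) that emulates fail2ban's logic in plain Python: a failregex modelled on the courier login filter is run over constructed mail.log lines, and a host is "banned" once it produces maxretry matches within findtime seconds. The log lines, the IP addresses and the year used for timestamps are all constructed; the optional "::ffff:" prefix in the regex is an assumption about IPv4-mapped addresses in courier's output.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample mail.log lines in courier pop3d style (not taken from the post).
SAMPLE_LOG = """\
Jan 27 10:15:01 mail pop3d: LOGIN FAILED, user=admin, ip=[::ffff:198.51.100.7]
Jan 27 10:15:03 mail pop3d: LOGIN FAILED, user=test, ip=[::ffff:198.51.100.7]
Jan 27 10:15:05 mail pop3d: LOGIN, user=alice, ip=[::ffff:192.0.2.10]
Jan 27 10:15:08 mail pop3d: LOGIN FAILED, user=info, ip=[::ffff:198.51.100.7]
Jan 27 10:15:09 mail pop3d: LOGIN FAILED, user=bob, ip=[::ffff:203.0.113.5]
Jan 27 10:25:30 mail pop3d: LOGIN FAILED, user=bob, ip=[::ffff:203.0.113.5]
Jan 27 10:35:40 mail pop3d: LOGIN FAILED, user=bob, ip=[::ffff:203.0.113.5]
"""

# failregex modelled on fail2ban's courier login filter. The "host" group plays the
# role of <HOST> in a fail2ban filter; the "::ffff:" prefix is assumed optional.
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pop3d: LOGIN FAILED, "
    r".*ip=\[(?:::ffff:)?(?P<host>[\d.]+)\]$"
)


def parse_timestamp(ts, year=2011):
    """Syslog timestamps carry no year; 2011 is a constructed default."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def matches(log_text, failregex=FAILREGEX):
    """Yield (timestamp, host) for every line the failregex matches."""
    for line in log_text.splitlines():
        m = failregex.match(line)
        if m:
            yield parse_timestamp(m.group("ts")), m.group("host")


def filter_stats(log_text, failregex=FAILREGEX):
    """(matched, total) line counts, the check fail2ban-regex would report.
    A filter that matches zero lines is the usual reason a jail never bans."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    matched = sum(1 for l in lines if failregex.match(l))
    return matched, len(lines)


def find_bans(log_text, maxretry=3, findtime=600):
    """Emulate a jail: ban a host once it has `maxretry` matches inside a sliding
    window of `findtime` seconds. Returns host -> time the ban would fire."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)
    bans = {}
    for ts, host in matches(log_text):
        if host in bans:
            continue
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            bans[host] = ts
    return bans


if __name__ == "__main__":
    print("filter matched %d of %d lines" % filter_stats(SAMPLE_LOG))
    for host, when in find_bans(SAMPLE_LOG).items():
        print(f"would ban {host} at {when}")
```

With the defaults, 198.51.100.7 is banned at its third failure (three within seven seconds), while 203.0.113.5 is not: its three failures are each more than ten minutes apart, so the findtime window never holds three at once. Raising findtime to an hour bans it too, which is the trade-off between the two settings that a slow dictionary attack exploits.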

Further on I had to remove a line from jail.local until it looked like this:

One thing which irritated me while debugging the problem was that fail2ban didn't report the errors in the log file even though I had the loglevel set to 4. To get to see the errors I had to run two shells, running /usr/bin/fail2ban-server -x -f in one of them and then /usr/bin/fail2ban-client reload in the other one.